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(54) Method and arrangement in a communication network 



(57) The present invention relates to the problem of 
establishing of security that arises within an ad hoc net- 
work 



The problem is solved by using an optical device at 
a first device to read a public key that is encoded to a 
graphical string at a second device, which key is re- 
quired for establishing security. 
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Description 

FIELD OF INVENTION 

[0001] The present invention relates to the field of 
communication networks and more specifically to an ad 
hoc communication network and a method for establish- 
ing a security association in an ad hoc network. 

DESCRIPTION OF RELATED ART 

[0002] The fast growth of open networks with easy ac- 
cess has raised many security problems. Several secu- 
rity solutions for public networks like the Internet have 
appeared. Security is a problem in all kinds of open net- 
works both wired and wireless. Information transmitted 
over the air is extremely vulnerable. Security solutions 
can be based on pure symmetric key techniques or can 
be a combination of symmetric and asymmetric, so- 
called public key techniques. Common solutions today 
are built upon some type of so called Public Key Infra- 
structure (PKI). A public key infrastructure is a system 
used to distribute and check public keys that can be 
used to authenticate users, exchange session keys, 
sign information or encrypt information. 
[0003] A symmetric key establishing scheme is built 
on that some a priori secret is known by the involved 
parties in advance. In principle there are two types of 
systems, key establishment between two parties shar- 
ing a common secret and key establishment by using a 
third party, a Key Distribution Center (KDC). A typical 
requirement in any security application is performing 
mutual authentication and key exchange. If the two in- 
volved parties, like in the first system, are preconfigured 
with a common shared secret this can be obtained by 
using a standard symmetric key authentication and key 
exchange protocol. 

[0004] A well-known example of the latter system is 
the Kerberos protocol. A Keberos system is shown in a 
schematic block diagram in Figure 1 . A Keberos system 
includes a central authentication server, the KDC 101 
and several clients 102 and servers 103 whereof only 
one client 102 and one server 103 is depicted in Figure 
1 . When a client 102 in the network wants to exchange 
secure information with a server 103 in the network, a 
protocol that involves communication with the KDC 101 
according to the following steps: 

104. The client 102 sends a request including ran- 
dom number to the KDC 101 . 

105. The KDC 101 replies to the client 102 with en- 
crypted session key 

106. The client 102 sends the encrypted session 
key and authenticator to the server 103. 

1 07. The server 1 03 replies to the client 1 02 with an 
authenticator. This step is an optional step. 

The advantage with a system like the Kerberos system 



compared to mutual exchange is that each entity only 
needs to share one long lived key with the KDC. There 
is no need to share keys with all parties in the network. 
The only entity that needs to store several long-lived 
5 keys is the KDC. 

[0005] In a PKI system, two corresponding (also 
called asymmetric) keys are used in connection with 
protecting information. Information, which is encrypted 
with one of the two keys, can be decrypted only with the 

10 other key. In some PKI systems either of the two keys 
can be used to encrypt and the other to decrypt. In other 
systems, one key must be used only for encryption and 
the other for decryption. One important feature of PKI 
systems is that it is computationally unfeasible to use 

is knowledge of one of the keys to deduce the other key. 
In a typical PKI system, each of the systems possesses 
a set of two such keys. One of the keys is maintained 
private while the other is freely published. If a sender 
encrypts a message with the recipient's public key, only 

20 the intended recipient can decrypt the message, since 
only the recipient is in possession of the private key cor- 
responding to the published public key. If the sender, 
before performing the above encryption, first encrypts 
the message with the senders private key, the recipient, 

25 upon performing first a decryption, using the recipient's 
private key, then a decryption on the result, using the 
sender's public key, is assured not only of privacy but of 
authentication since only the sender could have en- 
crypted a message such that the sender's public key 

30 successfully decrypts it. In one digital signature scheme, 
one-way hash is first applied to a message and the hash 
of the message is encrypted with the sender's private 
key. 

[0006] A PKI distributes one or several public keys 

35 and determine whether a certain public key can be trust- 
ed for certain usage or not. A piece of digitally signed 
information is often called a certificate. Certificates are 
the basis upon which PKIs are built. 
The degree of confidence that the recipient has in the 

4o source of a message depends on the degree of the re- 
cipient's confidence that the sender's public key corre- 
sponds to a private key that was possessed only by the 
sender. In many current systems, a number of generally 
well trusted certification authorities have been estab- 

45 Nshed to provide this degree of confidence. 

A common certificate format is Standard X.509 (devel- 
oped by the International Standards Organisation (ISO) 
and the Comite Consultatif Internationale Telegraphique 
et Telephonique (CCITT)). Such a certificate may, e.g., 

50 include a public key, the name of subject who possesses 
or is associated with the public key, an expiration date, 
all of which are digitally signed by a trusted party. The 
digital signature may be provided e.g., according to the 
digital signature standard (DSS) (National Institute of 

55 Standards and Technology (NIST)). Typically a digital 
signature involves applying a one-way hash and then 
encrypting with the private key of, in this case, the cer- 
tification authority. Such digital signature is provided us- 
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ing the private key of the trusted party which, in turn, is 
authenticated using the trusted party's certificate signed 
by yet another trusted party, so that there may be a multi- 
level hierarchy of trusted parties. 
Another certificate format is Pretty Good Privacy (PGP) 
developed by P. Zim merman n and described in Internet 
Engineering Task Force (IETF) Open PGP Specifica- 
tion. PGP provides a way to encrypt and decrypt, sign 
data and exchange keys. Thus it is more than just a PKI. 
However, the main idea with PGP is that no strict PKI is 
needed. Instead the PGP users themselves create and 
extend the PKI they need. This is done by certifying oth- 
er users public keys, i.e., signing trusted public keys with 
their own secret key. In this way a "web of trust" is cre- 
ated. A particular key may have several different user 
IDs. Typically a user ID is an email address. If a revo- 
cation signature follows a key, the key is revoked. A user 
certifies another users key by signing it with one of the 
keys of his own, which has signing capability. When 
signing another key, different trust levels can be set, i. 
e., the amount of confidence the signer has in the signed 
key and user ID. 

[0007] Today, so-called ad hoc networks are used 
more and more frequently. An ad hoc network is estab- 
lished temporary for a special purpose. There is no fixed 
infrastructure; the nodes are the network. The nodes 
within the network are often mobile and using radio links. 
An ad hoc network might constitute dynamic wide area 
connectivity in situations such as military operations, 
rescue and recovery operations, and remote construc- 
tion sites. An ad hoc network might also constitute local 
area connectivity in situations such as temporary con- 
ference sites, home networks and robot networks. An 
ad hoc network might also constitute personal area net- 
works in situations such as interconnected accessories, 
ad hoc conference table and games. The nodes might 
consist of e.g. mobile phones, lap tops, television sets, 
washing machines In some situations like in military op- 
erations or business conferences when the communi- 
cation between the nodes comprises secrets, it is very 
important that a sender of a message can trust that the 
receiver really is the intended receiver. 
[0008] In the previous examples, bindings between 
public keys and names or authorisation are described. 
Several of these certificate solutions exist in different 
systems. However, it is not yet described how different 
certificates needed for different kinds of purposes are 
obtained. In the case of ordinary X.509 type of PKI with 
hierarchical Certificate Authority (CA) structures, finding 
the right certificate is done using some central on-line 
server or by direct transmission of the certificate at con- 
nection set up. When using PGP either the desired pub- 
lic key is stored locally on a machine or the device has 
to make a connection to a central PGP server in order 
to find the desired pubic key. This works if it is possible 
for entities that need some type of security relation to 
have on-line connections to some particular servers. 
This is not the case for ad hoc networks. Ad hoc net- 



works are created on the fly between entities that hap- 
pen to be at the same physical location. 
[0009] Although all the security techniques described 
earlier are very powerful and allow smooth and automat- 
5 ic security for many different use cases, they all have 
some problem when it comes to the special situation of 
human faces in an ad hoc network. 
[0010] Three different ad hoc scenarios will illustrate 
the shortcomings of the related art described above re- 

10 garding ad hoc security establishment. 

[0011] In the first scenario several people gather to- 
gether in a conference room and would like to share 
some information. Everybody in the conference room 
has a communication unit such as a laptop or a Personal 

15 Data Assistant (PDA) with wireless access to all the oth- 
er people in the room. The people in the room have not 
been in contact with each other previously. Now they 
would like to share some secret information using a cer- 
tain application in their device. How can this be 

20 achieved? 

[0012] In the second scenario, a person arrives at a 
new geographical location and comes to some vendor 
machine offering him or her some type of service, e.g. 
like a ticket or some food. The person has a paying de- 

25 vice with a wireless connection to the vendor machine. 
The company and the person have no previous relation 
to each other. How can a person transmit an electronic 
paying transaction (and thereby receive some product 
from the machine) to the vendor machine over the air 

30 interface? 

[001 3] Two different devices, e.g. a mouse and a Per- 
sonal Computer (PC), from two different vendors are 
connected to each other over a wireless link, in the third 
scenario. A person would like to "pair" these two devices 

35 so that they can communicate securely over the wire- 
less link. How can this be done in a user friendly and 
efficient way? 

[001 4] The symmetric key based key sharing mecha- 
nisms described above, all demands that some secret 

40 information is shared between the devices that want to 
communicate. At least there must be a secure chain like 
in Kerberos system that can be used to create a trust 
relation between two devices. A secure chain is e.g. 
when A and B do not trust each other, but A and C trust 

45 each other, and B and C trust each other so A and B can 
get a trust relationship via C. This is often hard to 
achieve for the first and second ad hoc scenario. Any- 
way, it would be very cumbersome to manually enter 
some secret information to all devices in the first sce- 

50 nario. In the third scenario it would be possible to enter 
some secret symmetric information into the two devices 
that the person would like to "pair" This is for example 
what is used in the security solution of the Bluetooth 
standard. However that means that if the device has no 

55 input channel, e.g. a mouse, a microphone etc., it must 
be pre configured with the secret information and this 
information must be kept secret. Otherwise, anybody 
can make a pairing of the device. Furthermore, if the 
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security level should be kept, the secret key of some 
certain device must be kept physically apart from the 
device. It is hard for humans to remember several Per- 
sonal Identification Number (PIN) codes or to store them 
in a good and secure way. 

[0015] A public key based system like the ones de- 
scribed above do not fit well into any of the scenarios 
described. If it should be possible to use a X.509 like 
certificate or a PGP key, a trusted party must sign the 
public key. In the first and second scenario it is not al- 
ways assumed that the parties share trusted public keys 
or have certificates signed by a third party that each par- 
ty trust. Also in the third scenario, certificates and public 
keys can not be used without some trust in the signature 
of the certificate or a public key and since the devices 
can come from any source it might be very hard to ad- 
ministrate distribution of trusted certificates to all possi- 
ble devices. 

[0016] Therefore, what is further needed is a way of 
making communications within an ad hoc network more 
secure. 

SUMMARY OF THE INVENTION 

[0017] The present invention relates to the require- 
ment of security in an ad hoc network. More particularly 
it relates to the problem of establishing of security that 
arises within an ad hoc network. 

The problems discussed are: 

[001 8] The symmetric key based key sharing mecha- 
nisms described above, all demands that some secret 
information is shared between the devices that want to 
communicate. This is often hard to achieve in ad hoc 
networks. 

A public key based system like the ones described 
above do not fit well into ad hoc networks, since a trusted 
party must sign the public key. It is unusual that the par- 
ties in an ad hoc network share trusted public keys or 
have certificates signed by a third party that each party 
trust. 

[001 9] Accordingly, it is an object of the present inven- 
tion to unravel the above-mentioned problem. 
[0020] The solution, according to the invention is to 
use an optical device to read a public key that is encoded 
to a graphical string, which key is required for establish- 
ing security. 

[0021] An ad hoc communications network according 
to the invention includes a f irst device and a second de- 
vice. These devices are communication devices, which 
might be a laptop, a mobile phone, a printer, a vendor 
machine etc. The first device is equipped with an optical 
device. The second device has a pair of keys, the key 
pair constituting a secret key and a public key. The pub- 
lic key is hashed to a bit string which bit string is encoded 
to a graphical string. The graphical string is visible for 
the user of the first device. The first device has a user, 
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e.g. the owner of the first device that trusts the second 
device. The first device wishes to authenticate the sec- 
ond device. The first device has means for reading the 
graphical string by means of the optical device and 

5 means for authenticating the second device by means 
of the read string including the public key. An ad hoc 
communications network according to this first aspect 
of the invention is hereby characterised by what are the 
features of claim 1 . 

w [0022] A method for establishing a security relation 
between a first device and a second device within an ad 
hoc communications network according to a second as- 
pect of the invention, includes the steps of: 

15 hashing the public key to a bit string; 

encoding the bit string to a graphical string; 
making the graphical string visible for the user of 
the first device, 

the first device obtaining the graphical string by 
means of the optical device, and 
the first device authenticating the second device by 
means of the obtained graphical string. 

A method according to this second aspect of the inven- 
tion is hereby characterised by what are the features of 
claim 6. 

[0023] An advantage of the present invention is that 
it is possible to achieve the necessary security associ- 
ations needed for distributing and sharing information 
among a group of users that happens to be at the same 
physical location. There are a large amount of applica- 
tions that fits in to this scenario. Among those can be 
mentioned people from different companies or organi- 
sations that gather in a conference room can share doc- 
uments with the meeting members. 
[0024] Another advantage of the present invention is 
that the number of manually created trust relations be- 
tween members in an ad hoc communication network is 
decreased. 

[0025] Yet another advantage of the present invention 
is that it makes it possible "pairing" devices in a secure 
way also in the case of a device lacking input channel. 
[0026] Yet another advantage of the present invention 
is that since the user physically interacts with the other 
device to get the trusted key, it is easier for the user to 
decide whether to trust a device or not. 
[0027] Yet another advantage of the present invention 
is that due to the simplicity of the solution, also people 
without much understanding of the rather complicated 
mathematics or principles of public keys, can make se- 
cure connections with their devices. 
[0028] Further scope of applicability of the present in- 
vention will become apparent from the detailed descrip- 
tion given hereinafter. However, it should be understood 
that the detailed description and specific examples, 
while indicating preferred embodiments of the invention, 
are given by way of illustration only, since various 
changes and modifications within the spirit and scope 
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of the invention will become apparent to those skilled in 
the art from this detailed description. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0029] Figure 1 relates to Prior Art and is thus de- 
scribed above under "Description of related art". 

Figure 1 shows a schematic block diagram of Ke- 

beros system. 
Figure 2 shows a schematic block diagram of an ad 

hoc communications network according to 

the invention. 

Figure 3 shows a flowchart of the method according 
to the invention. 

DESCRIPTION OF PREFFERED EMBODIMENTS 

[0030] The ad hoc communications network accord- 
ing to the invention constitutes e.g. a bluetooth network 
or a Wireless Local Area Network (WLAN). The ad hoc 
network comprises devices constituting e.g. Personal 
Data Assistants PDAs, lap tops, mice, mobile phones, 
vendor machines, paying devices, etc. each device 
comprising communication means. The devices are in- 
terconnected via communication links. 
[0031] Figure 2 shows a possible scenario of an ad 
hoc communications network N according to the inven- 
tion. The network N comprises a first device A with wire- 
less access to other devices within the network. The f irst 
device A might be e.g. a laptop. The first device A is 
connected to an optical device O over a secured chan- 
nel. The Optical device O reads information optically, i. 
e. code or text on paper or on an electronic slip, e.g. a 
LCD display. An example of such device is a so-called 
C Pen ™. 

The first device A also has a person that uses it, a user 
UA, e.g. the owner of the device. 
[0032] The user UA wishes to communicate with a 
second device B within the network N. The second de- 
vice B has a wireless access to other devices within the 
network and it might be e.g. a laptop, a vendor machine, 
a service device etc. The second device B might also 
have a user UB or might not, as in the case of constitut- 
ing a vendor machine or a service device. The second 
device B has one or several secret key-public key pairs. 
The public key might be contained in a certificate signed 
by a third party. The public key or certificate that an ar- 
bitrary device would like to use to authenticate itself to- 
wards the second device B and /or exchange keys, is 
hashed, using a cryptographic strong one-way-function 
(see A.J. Menzes, P.C. van Orschot and S.A. Vanstone, 
Handbook of Applied Cryptography, CRC Press, 1997) 
to a large enough (to provide enough cryptographic 
strength) bit string. The bit string is mapped by a one- 
to-one code to a suitable graphical string S, that is read- 
able for the optical device O. The graphical string S in 
some way visible for the user AU and the first device A, 



it might be printed on a card carried by the owner or user 
UB of the second device B, or it might be displayed on 
a slip, possibly electronic, physically attached to the sec- 
ond device B. 

5 [0033] The user UA requires to create a security as- 
sociation between his own first device A and the second 
device B. The user AU, who trusts the graphical string 
S, reads the graphical string S with the optical device O. 
The user UA trusts the graphical string e.g. if it is printed 
on a card that he got from user UB who he knows or 
trusts by any other means, or by recognising a trustwor- 
thy company trademark of a vendor machine on which 
the slip, displaying the graphical string, is attached. To 
simplify for a user to trust a slip displaying a string it can 
be constructed so that it is easy for a user to see that 
nobody has manipulated the slip or that there is some 
electronic protection of the slip that disables the second 
device B if somebody manipulates the slip. 
The read graphical string is transmitted from the optical 
device O to the first device A in a secure way, if they are 
in different entities. 

[0034] The first device A gets the graphical string. If 
later the device receives a public key or a certificate con- 
taining the public key that can be hashed to the string 
S, that public key or certificate will be treated as trusted. 
The first device A contacts the second device B and per- 
forms the security protocol. The security protocol used 
for authentication and shared key generation can be of 
any standard type like the Transport Layer Security 
(TLS) handshake protocol or the Internet Key Exchange 
Protocol (IKE). 

The first device A authenticates the second device B us- 
ing the public key that S is a graphical string of. If the 
second device B is able to proof that it holds a secret 
key corresponding to the public key that S is a graphical 
string of, the second device B is trusted by the first de- 
vice A. 

It is possible for the user UA to decide for how long and 
to what extend a public key corresponding to the graph- 
ical string should be trusted. In many situations this trust 
relation might last for a very short time period. 
[0035] In another example, both the first and the sec- 
ond devices A and B have a respective optical device 
and a respective key pair encoded into a respective 
graphical string being visible. So if the connection be- 
tween the first device A and the second device B is a 
mutual trusted connection, The first and the second de- 
vice A and B exchange secret session keys using trust- 
ed public keys. 

[0036] In an embodiment of the present invention the 
second device B constitutes a service device which has 
a network address. The service device C might be a 
printer, a camera, a projector, a pay machine etc. The 
first device A which wishes to connect to the service de- 
vice requires the network address. According to the 
present invention the graphical string S is mapped to the 
network address of the service device B. When the first 
device A reads the graphical string S by means of the 
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optical device O, it obtains the public key, but also the 
network address of the service device B. 
[0037] Figure 3 shows a flowchart of establishing a 
security relation between a first device and a second de- 
vice within an ad hoc communications network, accord- 
ing to the invention in a general mode. 
The first device having an optical device and the second 
device having a pair of keys constituting a secret key 
and a public key. 

The first device has a user that trusts the second device. 
The method comprises the following steps: 

301 . The public key is hashed to a bit string. 

302. The bit string is encoded to a graphical string. 

303. The graphical string is made visible for the user 
of the first device. 

304. The first device obtains the graphical string by 
reading the visible optical string by means of the 
optical device. 

305. The first device authenticates the second device 
by means of the obtained graphical string. 



Claims 

1 . An ad hoc communications network (N) comprising 

a first device (A) having an optical device (O) 
and 

a second device (B) having a pair of keys, 
the key pair constituting a secret key and a pub- 
lic key, 

the first device (A) having a user (U) that trusts 
the second device (B), 

characterised by 

the public key being hashed to a bit string, 
the bit string being encoded to a graphical 
string (S), 

the graphical string being visible for the user (U) 
of the first device (A), 

the first device (A) having means for obtaining 
the graphical string by means of the optical de- 
vice (O), 

the first device (A) having means for authenti- 
cating the second device (B) by means of the 
obtained string. 

2. The ad hoc communications network according to 
claim 1, characterised In that the first device (A) 
after receiving a public key from the second device 
(B), trusts that key if it can be hashed to the string 
(S). 

3. The ad hoc communications network according to 
claim 1 , wherein the second device (B) constitutes 
a service device having a network address charac- 



terised by the graphical string being mapped to the 
network address. 

4. The ad hoc communications network according to 
5 claim 3, characterised by the first device (A) having 

means for obtaining the network address, by means 
of the optical device (O). 

5. The ad hoc communications network according to 
10 claim 4, characterised by the first device (A) having 

means for connecting to the service device by 
means of the obtained network address. 

6. Method for establishing a security relation between 
15 a first device (A) and a second device (B) within an 

ad hoc communications network (N), 

the first device (A) having an optical device (O), 
the second device (B) having a pair of keys con- 
20 stituting a secret key and a public key, 

the first device (A) having a user that trusts the 

second device (B), 

the method comprising the steps of: 

25 - hashing the public key to a bit string; 

encoding the bit string to a graphical string 
(S); 

making the graphical string (S) visible for 
the user of the first device (A), 
30 - the first device (A) obtaining the graphical 

string (S) by means of the optical device 
(O), 

the first device (A) authenticating the sec- 
ond device (B) by means of the obtained 
35 graphical string (S). 

7. The method according to claim 6, wherein the first 
device (A) after receiving a public key from the sec- 
ond device (B), trusting that key if it can be hashed 

40 to the string (S). 

8. The method according to claim 6, wherein the sec- 
ond device (B) constitutes- a service device having 
a network address comprising the further step of: 

45 mapping the graphical string to the network ad- 
dress. 

9. The method according to claim 8, comprising the 
further step to be taken by the first device (A): ob- 

50 taining the network address, by means of the optical 
device (O). 

10. The method according to claim 9, comprising the 
further step to be taken by the first device (A): 

55 connecting to the service device by means of the 
obtained network address. 
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